# Scheduled compliance run against main; there is no CI trigger for this pipeline.
# Azure Pipelines cron schedules are evaluated in UTC.
# NOTE(review): with standard cron semantics '*/21' in the day-of-month field fires on
# the 1st and 22nd of each month, not at a strict 21-day interval, so the displayName is
# only approximately right — confirm the intended cadence.
schedules:
  - cron: '0 0 */21 * *'
    displayName: 'Run every 21 days at 12:00 a.m.'
    branches:
      include:
        - main

# No CI trigger: runs come from the schedule above or from a manual queue.
trigger: none

# Runtime parameters, settable when a run is queued.
parameters:
  # Gates bug filing: drives `sdl.tsa.enabled` and the condition on the TSAUpload step
  # below, so a run can be queued without creating work items.
  - name: LogBugs
    displayName: Log bugs?
    type: boolean
    default: true

variables:
  # Library variable group; presumably supplies $(ApiScanClientId) used by the APIScan
  # step's AzureServicesAuthConnectionString — confirm, and keep any secret values in the
  # group marked secret so they are masked in logs.
  - group: vssetup-apiscan
  - name: TeamName
    value: VSSetup
  # Base name of the built executable; the APIScan copy step picks up
  # $(OutputName).{exe,pdb,dll,xml}.
  - name: OutputName
    value: VisualStudioAdminTemplates
  # Drop location handed to the shared build-steps template.
  - name: FinalDropPath
    value: $(Build.StagingDirectory)\finalDrop
  - name: ProjectName
    value: ADMXExtractor

resources:
  repositories:
    # 1ES/MicroBuild pipeline template repository consumed by `extends` below.
    # NOTE(review): `refs/tags/release` is a tag, which the template maintainers can move,
    # so template content may change between runs with no change in this file. That is
    # normal for a centrally managed template; pin a specific ref only if reproducible
    # runs matter more than receiving template updates automatically.
    - repository: MicroBuildTemplate
      type: git
      name: 1ESPipelineTemplates/MicroBuildTemplate
      ref: refs/tags/release

# Everything below runs inside the MicroBuild 1ES template, which also provides the SDL
# tooling configured under `sdl`.
extends:
  template: azure-pipelines/MicroBuild.1ES.Unofficial.yml@MicroBuildTemplate
  parameters:
    pool:
      name: VSEngSS-MicroBuild2022-1ES
    # SDL (compliance) tool settings consumed by the 1ES template.
    sdl:
      enableAllTools: true
      sourceAnalysisPool:
        name: AzurePipelines-EO
        image: 1ESPT-Windows2022
      binskim:
        scanOutputDirectoryOnly: true
      codeql:
        compiled:
          enabled: true
      prefast:
        enabled: true
      # Roslyn analyzer findings are reported but do not fail the run; APIScan findings
      # do (see PostAnalysis below).
      roslyn:
        break: false
      codeSignValidation:
        enabled: false  # We don't sign our compliance builds
      # TSA bug filing follows the LogBugs parameter; the same config file is passed to
      # the TSAUpload step below, keep the two paths in sync.
      tsa:
        enabled: ${{ parameters.LogBugs }}
        configFile: $(Build.SourcesDirectory)\.config\tsaoptions.json
        onboard: false  # We already onboarded
    stages:
      - stage: Build
        jobs:
          - job: Build
            templateContext:
              mb:
                # MicroBuild localization plugin settings.
                localization:
                  enabled: true
                  type: 'full'
                  languages: 'VS'
                  lsbuildVersion: 'V7'
                  feedSource: 'https://devdiv.pkgs.visualstudio.com/DefaultCollection/_packaging/MicroBuildToolset/nuget/v3/index.json'
            steps:
              # Shared build steps from this repository.
              - template: /build/templates/build-steps-template.yml@self
                parameters:
                  outputNameWithExtension: $(OutputName).exe
                  finalDrop: $(FinalDropPath)
                  projectName: $(ProjectName)
              # Stage the built binaries for APIScan; test assemblies are excluded.
              # NOTE(review): Build.ArtifactStagingDirectory and Build.StagingDirectory
              # normally resolve to the same agent path, which would make TargetFolder a
              # subfolder of SourceFolder — confirm the patterns cannot re-match files
              # already copied into apiscan-inputs.
              - task: CopyFiles@2
                displayName: Copy files for API scan
                inputs:
                  SourceFolder: $(Build.ArtifactStagingDirectory)
                  Contents: |
                    **\$(OutputName).?(exe|pdb|dll|xml)
                    **\$(ProjectName)\*.?(exe|pdb|dll|xml)
                    !**\*.Test.*
                  TargetFolder: $(Build.StagingDirectory)\apiscan-inputs
                  flattenFolders: true
              # BoxStub is taken from a restored package under the sources tree rather
              # than from the build output.
              - task: CopyFiles@2
                displayName: Copy BoxStub for API scan
                inputs:
                  SourceFolder: $(Build.SourcesDirectory)
                  Contents: |
                    packages\VS.Setup.BootstrapperExternals*\**\boxstub.?(exe|pdb)
                  TargetFolder: $(Build.StagingDirectory)\apiscan-inputs
                  flattenFolders: true
              # APIScan surrogate configuration, checked in under .config\apiscan.
              # NOTE(review): this copy targets $(System.ArtifactsDirectory) while the two
              # above target $(Build.StagingDirectory); on hosted agents these normally
              # resolve to the same directory, so softwareFolder and
              # surrogateConfigurationFolder below may end up being the same folder —
              # confirm that is intended.
              - task: CopyFiles@2
                displayName: Copy surrogate file for API scan
                inputs:
                  SourceFolder: $(Build.SourcesDirectory)\.config\apiscan\surrogates
                  Contents: |
                    apiscan-surrogate.xml
                  TargetFolder: $(System.ArtifactsDirectory)\apiscan-inputs
              - task: APIScan@2
                displayName: Run APIScan
                inputs:
                  softwareFolder: $(Build.StagingDirectory)\apiscan-inputs
                  softwareName: 'Microsoft.VisualStudioAdministrativeTemplates'
                  # Fixed version string reported to the APIScan service.
                  softwareVersionNum: '1'
                  toolVersion: Latest
                  surrogateConfigurationFolder: $(System.ArtifactsDirectory)\apiscan-inputs
                  azureSubscription: VSEng-APIScanSC
                env:
                  # App-based auth for the APIScan service. The connection string carries
                  # only identifiers (app id, tenant id, service connection id) and no
                  # secret; $(ApiScanClientId) presumably comes from the vssetup-apiscan
                  # variable group — confirm.
                  AzureServicesAuthConnectionString: RunAs=App;AppId=$(ApiScanClientId);TenantId=72f988bf-86f1-41af-91ab-2d7cd011db47;ServiceConnectionId=93e24264-c5e6-4681-8175-ec8a41668480;
                  # The job's OAuth token is only visible to a task when mapped explicitly
                  # like this; it carries the build identity's permissions, so keep that
                  # identity scoped to what APIScan needs.
                  SYSTEM_ACCESSTOKEN: $(System.AccessToken)
              # Publish the APIScan logs even when the scan step failed, so a failure can
              # be investigated from the artifact. Only APIScan output is published.
              - task: PublishSecurityAnalysisLogs@3
                displayName: Publish 'SDLAnalysis-APIScan' artifact
                condition: succeededOrFailed()
                inputs:
                  ArtifactName: SDLAnalysis-APIScan
                  AllTools: false
                  APIScan: true
              # GdnBreakAllTools is left off, so only APIScan findings fail the run here.
              - task: PostAnalysis@2
                displayName: Post Analysis
                inputs:
                  GdnBreakAllTools: false
                  GdnBreakGdnToolApiScan: true
              # File findings in TSA only when LogBugs is set. The parameter is expanded
              # at template-compile time, so the condition is constant for a given run;
              # an upload failure is reported on the step but does not fail the pipeline.
              - task: TSAUpload@2
                displayName: Upload APIScan results to TSA
                inputs:
                  GdnPublishTsaOnboard: false
                  # Keep in sync with sdl.tsa.configFile above.
                  GdnPublishTsaConfigFile: '$(Build.SourcesDirectory)\.config\tsaoptions.json'
                  GdnPublishTsaExportedResultsPublishable: true
                continueOnError: true
                condition: and(succeededOrFailed(), eq(${{ parameters.LogBugs }}, 'true'))
                enabled: true